By Lisa Slotznick
CYBER, ONE OF THE ACADEMY’S MEGA ISSUES FOR THE YEAR, affects all of us due to the pervasive nature of information technology that connects us in our daily transactions.
Various manifestations of information technology—such as phones, computers, email, physical security systems with alarms, and digital security systems with firewalls—interconnect our lives. This interconnected world, in many ways, is a boon—it makes life easier. However, our cyber world can be intimidating because of the opportunities it provides for the “bad guys”—malicious actors intent on doing real harm—to exploit both individuals and businesses by unlawfully manipulating technology for their gain.
To combat these threats, businesses (including the Academy staff) implement cybersecurity plans and training programs. These initiatives aim to protect data and operations from various cyber attacks. As employees, we undergo training and practice exercises to recognize phishing attempts and (hopefully) learn how not to click on links that could get our employers’ systems compromised. On a personal level, we safeguard our credit cards and bank accounts by screening phone calls, avoiding suspicious email links, and protecting our computers from malware. Those of us with children or elderly relatives are particularly concerned about their vulnerability to hackers and scammers.
As actuaries, how these cyber threats impact our work is crucial for us to understand. A recent cyber breach at Change Healthcare,[1] owned by UnitedHealthcare, significantly affected multiple health care providers’ ability to process claims transactions, including payments. The interconnected way that Change Healthcare operates led directly to this breach affecting many health care providers. Hmm—payment transactions sounds like a data source for actuaries to use in estimating financial statement balances and new rates for products. A perfect time to review ASOP No. 23, Data Quality, and ASOP No. 41, Actuarial Communications, to help determine whether the data being used remains appropriate, needs adjustment, or requires additional disclosures. This breach has also sparked significant discussion at the National Association of Insurance Commissioners.
The implications of cyber breaches extend beyond data quality, affecting protected personal data, the viability of small providers experiencing a payment delay, and liability associated with the damages caused by the breach.
How do companies pay for the expenses and liabilities associated with breaches? Many turn to various insurance products that indemnify them for some of the losses associated with such events. The cyber insurance market is expanding rapidly in response to the increasing occurrence of ransomware and other malicious attacks. Hmm, actuaries price and reserve for these products.
Given the extensive potential impact of cyber issues, the Academy’s Committee on Cyber Risk has developed the Cyber Risk Toolkit. This resource covers a range of topics, including the basics of cyber threats, basic insurance product descriptions, data related to threats, “silent cyber,” ransomware, cyber terrorism, autonomous vehicles, and personal cyber, among others.
Expect the Academy to conduct additional research in the cyber arena, from both a data standpoint and by way of additional analysis of the volume of threats.
Where does this leave us? Fundamentally, go back to the actuarial basics: understand your data and the underlying operations of the source of the data. Gain insight into the flow of information and consider cyber threats within the risk management framework of insurance companies, including potential cyberattacks into stress testing scenarios. Pay attention to corporate risk management strategies, especially those related to disaster recovery plans.
Then apply all these principles to your personal world as well.
We cannot let fear of a negative outcome from our cyber world paralyze us to inaction. Adopt a risk management approach to data protection—for both your company’s and your personal cybersecurity.
Oh, by the way—this is still an election year. We may hear about the bad guys using cyber terrorism to interfere with the election through social media or other means. In the process of staying informed, avoid getting too alarmed or caught up in conspiracy theories. Trust in our election system’s security and robustness. May our election process remain secure, and our systems resilient.
LISA SLOTZNICK, MAAA, FCAS, is president of the Academy.
Endnote
[1] “Change Healthcare cyberattack was due to a lack of multifactor authentication, UnitedHealth CEO says”; Associated Press; May 1, 2024.